Skip to content

fix(deps): vuln minor upgrades — 8 packages (minor: 6 · patch: 2) #331

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/0-1783380178
Draft

fix(deps): vuln minor upgrades — 8 packages (minor: 6 · patch: 2) #331
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/pip/0-1783380178

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 8 packages upgraded (MINOR changes included)

Manifests changed:

  • . (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
urllib3 2.6.3 2.7.0 minor Direct 4 HIGH
mako 1.3.10 1.3.12 patch Direct 3 HIGH
pyjwt 2.12.1 2.13.0 minor Direct 2 HIGH, 6 MEDIUM, 2 LOW
idna 3.11 3.18 minor Direct 2 MEDIUM
requests 2.32.5 2.34.2 minor Direct 2 MEDIUM
pytest 9.0.2 9.0.3 patch Direct 2 MEDIUM
pydantic-settings 2.13.1 2.14.2 minor Direct 1 MEDIUM
pygments 2.19.2 2.20.0 minor Direct 1 LOW

Security Details

🚨 Critical & High Severity (9 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
mako GHSA-2h4p-vjrc-8xpq HIGH Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup 1.3.10 1.3.12 -
mako PYSEC-2026-88 HIGH - 1.3.10 1.3.11 -
mako GHSA-v92g-xgxw-vvmm HIGH Mako: Path traversal via double-slash URI prefix in TemplateLookup 1.3.10 1.3.11 -
pyjwt GHSA-xgmm-8j9v-c9wx HIGH PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed 2.12.1 2.13.0 -
pyjwt PYSEC-2026-179 HIGH - 2.12.1 2.13.0 -
urllib3 GHSA-qccp-gfcp-xxvc HIGH urllib3: Sensitive headers forwarded across origins in proxied low-level redirects 2.6.3 2.7.0 -
urllib3 PYSEC-2026-141 HIGH - 2.6.3 2.7.0 -
urllib3 PYSEC-2026-142 HIGH - 2.6.3 2.7.0 -
urllib3 GHSA-mf9v-mfxr-j63j HIGH urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API 2.6.3 2.7.0 -
ℹ️ Other Vulnerabilities (16)
Package CVE Severity Summary Unsafe Version Fixed In Case
idna GHSA-65pc-fj4g-8rjx MODERATE Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix 3.11 3.15 -
idna PYSEC-2026-215 MODERATE - 3.11 3.15 -
pydantic-settings GHSA-4xgf-cpjx-pc3j MODERATE pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size 2.13.1 2.14.2 -
pyjwt GHSA-jq35-7prp-9v3f MODERATE PyJWT: Algorithm allow-list bypass when decoding with PyJWK / PyJWKClient keys 2.12.1 2.13.0 -
pyjwt PYSEC-2026-176 MODERATE - 2.12.1 2.12.1 -
pyjwt PYSEC-2026-178 MODERATE - 2.12.1 2.13.0 -
pyjwt GHSA-w7vc-732c-9m39 MODERATE PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS 2.12.1 2.13.0 -
pyjwt PYSEC-2026-175 MODERATE - 2.12.1 2.13.0 -
pyjwt GHSA-993g-76c3-p5m4 MODERATE PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes 2.12.1 2.13.0 -
pytest GHSA-6w46-j5rx-g56g MODERATE pytest has vulnerable tmpdir handling 9.0.2 9.0.3 -
pytest CVE-2025-71176 MODERATE - 9.0.2 - -
requests GHSA-gc5v-m9x4-r6x2 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.32.5 2.33.0 -
requests CVE-2026-25645 MODERATE Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function 2.32.5 - -
pygments GHSA-5239-wwwm-4pmq LOW Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching 2.19.2 2.20.0 -
pyjwt PYSEC-2026-177 LOW - 2.12.1 2.13.0 -
pyjwt GHSA-fhv5-28vv-h8m8 LOW PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS) 2.12.1 2.13.0 -
⚠️ Dependencies that have Reached EOL (3)
Dependency Unsafe Version EOL Date New Version Path
idna 3.11 - 3.18 requirements-tests.txt
pyjwt 2.12.1 - 2.13.0 requirements-tests.txt
requests 2.32.5 - 2.34.2 requirements-tests.txt

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-6

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/lemur | test   View in Datadog   GitLab

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: fd77613 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants